Good writeup. I don't want to lose the fact that we've got this in play,
so I've put in a pointer to your mail message in our wiki discussion
space:
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals
Mez
Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect
From: <michael.mccormick@wellsfargo.com>
Date: 04/20/2007 04:08 PM
To: <Mary_Ellen_Zurko@notesdev.ibm.com>
cc: <public-wsc-wg@w3.org>
Subject: RE: Favicon anti-pattern
Per MEZ's request, I offer the following additional content regarding
favicons.
First, I did find a single paragraph in the current Note (use cases)
regarding favicons that I feel needs updating:
9.2.5 Favicon
The URL bar may display a logo retrieved from a location specified in the
web site's content, or discovered in a well known location [favicon]. In
either case, the choice to display a logo, and what image to use, is at
the discretion of the visited web site. In some browsers the favicon logo
is also displayed in Bookmarks/Favorites listings and associated toolbar
buttons, window titles, tab titles, and elsewhere. No central
organization exists to control or approve these images.
The text I propose we append appears above in red. (Last 2 sentences for
those not viewing this email as HTML or who suffer from red-blue color blindness.)
Second, there is the matter of Recommendations. I personally believe
favicons undermine security context. Mary Ellen challenged me to document
my reasons for this so WSC can possibly document favicons as an
anti-pattern:
Whether consciously or unconsciously, many users are beginning to view
favicon logos as security context information. Specifically, they feel
that seeing the logo they expected for a particular site is somehow an
assurance the site is genuine. Because the logo appears in browser chrome
rather than the HTML page, it creates an impression that the logo is more
"official".
This is a mistake on the users' part because no central organization
controls or approves the assignment of favicons to sites. A malicious
entity can steal the exact logo used by a legitimate site (or create a
visually indistinguishable logo) and associate it with a different site
for impersonation purposes.
Favicons are not registered with nor regulated by a central authority.
Favicons are not cryptographically protected for authenticity or
integrity.
For these reasons, favicon use on web sites requiring user trust should be
considered a security anti-pattern. Favicons undermine the web security
context display in two ways. First, they appear to provide security
context but in reality do not. Second, they blur the distinction between
chrome and content.
Favicons could be made more secure if they were drawn from a logo registry
controlled by a central authority, or perhaps tied to signed DNSSEC
records, and browsers were changed to only display approved and
cryptographically protected favicons. The central authority would have to
prevent two sites from using visually similar logos.
Finally, it's worth noting that logographic extensions to X.509, which
many sites plan to use in future to visually brand their SSL certificates,
suffer from many of the same security problems as favicons.
I welcome feedback. I have not entered any of this in the wiki because I
feel it needs some group discussion first.
Thanks, Mike